By Diana Ion.

Too many times overlooked by common security measures, side channels can offer attackers new avenues for information gathering and possibly much more. 

A simple definition of a side-channel is something that enables you to find out something about a thing without directly observing that thing.   

Think of a quiet neighborhood during wintertime.  All roofs are covered by snow, except for one. Naturally, you would think about something shady going on there and you could be right. Meth labs release a lot of heat and the effect of this on the snowy roof gives you information about what is possibly happening inside without you needing to actually look. This is an example of a thermal channel. 

Another example that should be familiar to you from one of the spy movies you have watched is the classic trick of using a stethoscope to listen to a safe’s mechanism while rotating the dial, with the obvious aim of opening the safe. The side channel in this case is the sound.

Up to this point, it should be clear that a side channel is a consequence of a particular action. Now comes the most interesting part. Cryptographic implementations are based on computations at the bit/byte level. While performing these computations, computers use electric power. If you observe on an oscilloscope the power trace of a chip running AES or DES, you will see discernible patterns coming from the number of rounds, the memory accesses, or other algorithmic details. This process is called simple power analysis and is a type of direct implementation attack.

An implementation attack targets faults in the hardware/software implementation of an algorithm and not in the design of the algorithm per se.  

A more advanced attack that can also recover the key used in AES encryption is differential power analysis. Here, the attacker needs access to the device to collect power traces during normal AES encryptions. With a set of measurements available, the attacker builds a model of the side channel, feeds it a hypothetical key, takes the predicted output, and statistically compares that prediction with the real measurements. Perseverance and patience must be employed.

I am curious sometimes and, during one lazy quarantine day, I decided to give it a try myself and break AES encryption with power analysis. I found a dataset of measurements online and wrote a Python script. The key size was 128 bits, meaning 16 bytes. You probably know that AES-128 consists of 10 rounds, with each round, except the last one, performing some particular operations (SubBytes, ShiftRows, MixColumns, AddRoundKey). If these are unfamiliar to you, please do a Google search for AES rounds. To make my life easier and prove that the key is breakable, I only attempted to break the first byte of the key, after the SubBytes operation. This means running through all the possible values for the first key byte (0 through 255), encrypting the plaintext with each one and comparing the results.
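To make that first-byte procedure concrete, here is an added editorial example, not the author's script and not taken from any dataset: it computes the AES S-box, simulates power samples with a Hamming-weight leakage model (a constructed stand-in for real oscilloscope measurements), and ranks all 256 guesses for the first key byte by how well each one correlates with the traces. The `masked` switch, the key value 0x2B and the noise level are assumptions; the switch shows why the masking countermeasure mentioned later in the article defeats this analysis.

```python
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _sbox_entry(x):
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine transform."""
    inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]  # SubBytes table, computed rather than pasted

def hamming_weight(v):
    return bin(v).count("1")

def simulate_traces(key_byte, n=500, noise=1.0, masked=False, seed=1):
    """Constructed stand-in for oscilloscope samples: one sample per encryption, taken
    where the first S-box output is written. Leakage model: Hamming weight plus noise.
    masked=True XORs a fresh random mask into the value first (the masking
    countermeasure), so the sample no longer depends on the key."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n):
        p = rng.randrange(256)
        s = SBOX[p ^ key_byte]
        if masked:
            s ^= rng.randrange(256)
        plaintexts.append(p)
        traces.append(hamming_weight(s) + rng.gauss(0, noise))
    return plaintexts, traces

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def recover_key_byte(plaintexts, traces):
    """Try all 256 values of the first key byte: predict the S-box output's Hamming
    weight for each guess and correlate it with the traces. Returns (guess, |r|)."""
    best = (None, -1.0)
    for guess in range(256):
        hyp = [hamming_weight(SBOX[p ^ guess]) for p in plaintexts]
        r = abs(pearson(hyp, traces))
        if r > best[1]:
            best = (guess, r)
    return best
```

On the unprotected traces the correct byte stands out with a correlation near 0.8; on the masked traces no guess rises above the noise floor, which is exactly what the countermeasure is for.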

I will not go further into detail as I do not want you to get bored. My point here is that faulty implementations can leak sensitive data. Do not underestimate the ingenuity of attackers when it comes to methods for speeding up computations. There are profiling attacks and deep learning techniques that need only a small number of measurements to break the encryption. Common methods of combating side-channel attacks are usually divided into ‘hiding’ and ‘masking’. These can be applied at any level: transistor level, program level, algorithmic level, or protocol level. We will explore these in a future article.

By Farhan Subhan.

Throughout our time on planet Earth, there have been major developments in nearly all aspects of life, from the industrial revolution to the events revolving around Y2K. Even with the doubts of the year 2000, and how stored calendar data was going to be affected by the transition into the new millennium, technology has undoubtedly grown exponentially into a very integral part of our personal and business lives. However, in nearly all cases of growth, there are some struggles; in this case, data breaches. Data breaches come in many forms, e.g. phishing, loss or theft of hard-copy notes, ransomware, and unauthorized access. The extent of a data breach can vary from losing your own credit card information to huge multinational corporations with employee and customer data at risk.

A data breach does not have to be in digital form to be considered a data breach. But as we have transitioned into a digital society, these breaches have also evolved, from classified papers in a briefcase being stolen to online pirates procuring over a million credit card details and selling them on the black market. A breach does not necessarily mean that data is stolen per se; if protected data becomes accessible, that is considered a breach. The question we ask now is: what do these attackers do with these pieces of data? One answer is: capitalize on the data. Attackers will either want to take advantage of credit card information instantly, or hold onto it and then slowly take advantage of said person’s information for many years.

Since the start of the millennium there have been many, yet unsurprising, data breaches within huge multinational corporations. The nature of the exposed data varies among these companies; for example, if we look at companies like Yahoo and MySpace we can see that the attackers responsible for these breaches were in fact identity thieves. We will now look at examples of the biggest data breaches within multinational corporations since the start of the 21st century:

MyFitnessPal

In February 2018, MyFitnessPal was subject to a data breach in which 617 million customer accounts were leaked and offered for sale on the black market, around the same time as Dubsmash. The company acknowledged the breach and advised customers to change their passwords to help improve their security. However, it did not share how many customers were affected, nor did it explain how their data was compromised.

Adobe

In October 2013, Adobe reported that hackers had stolen nearly 3 million customer credit card records as well as login data for an undisclosed number of user accounts. Later that month, it said that IDs and encrypted passwords for 38 million users were included in the compromised data. Unfortunately, this number surpassed 150 million users, resulting in Adobe paying $1.1 million in legal fees and an undisclosed amount to users for violation of the Customer Records Act.

LinkedIn

This major social networking platform for business professionals had become a target for social engineering attacks, but in 2012 the site also had user data leaked. 6.5 million passwords were stolen and posted onto a Russian hacker forum, but it took four years for the incident to be revealed. The hacker was then found to be selling the data for 5 bitcoins, which resulted in LinkedIn resetting the passwords of the affected accounts.

As with most errors, these breaches could have been prevented if the companies mentioned above had taken the correct steps. Had they undertaken regular risk assessments, they could have verified that the procedures used to handle data were correct and rectified any errors before the data was leaked. After such leaks, a company can invest more in cyber security training for staff, so that employees learn about data breaches and the common mistakes that lead to them. Incorporating this into the company’s culture will be beneficial for the foreseeable future.

To conclude, data breaches still exist in many forms, ranging from phishing attacks to huge data losses by corporations. They will continue to exist in our society unless people are made aware of what cyber security has to offer and are inclined to learn more about it, so that it can be incorporated into their personal and work lives and data breaches can be kept to a minimum.

By Diana Ion.

It is common knowledge in the security community that it is not a question of “IF a system fails” but more of “WHEN a system fails”. Having 100% coverage against attacks is impossible: your controls must never fail, while an attacker needs only one lucky strike to succeed.

Always aiming for better security features and taking better mitigation steps is something each company needs to do. A crucial part of staying ahead is having a system for monitoring your network. The goal of security monitoring is to give you actionable and comprehensive insight, and alerts that indicate the actions required to mitigate the potential impact on your company.

A Security Operations Center (SOC) is not only a room full of screens, but it is also a team of people with very specific tools, skills, and processes.

To better imagine how a SOC would fit into a company’s security landscape, we will discuss the case of a fictional financial company X with 50.000 employees. In order to stay in business and continue to earn billions, the company must update its traditional security perimeter and create a security awareness culture at the workplace. Because X is a financial institution and it is 2020, the biggest threats are cyber ones. The company understands the danger and is willing to invest as much as necessary to be one step ahead of the adversary. In addition, there are certain requirements and standards that a financial company needs to meet in terms of security. So far, there have been no serious security breaches or attempts to steal sensitive data.

The company aims for a permanent internal SOC with full-time employees. The SOC team should have around 80-100 members, in accordance with the company size of 50.000 employees. Ideally, the company will have a huge room with walls full of large screens, which only SOC employees have permission to enter. State-of-the-art physical and cyber security has to be deployed for this room.

Initially, the company starts with a dedicated SOC and will shortly transition to a multifunctional SOC/NOC, hiring more specialists to perform both functions. The main features of the new SOC will be concentrated around the following areas:

- control and digital forensics
- monitoring and risk management
- network and system administration

In terms of what tools are needed in order to perform the aforementioned functions in an efficient manner, the best solution is to use a next-generation Security Information and Event Management (SIEM) system which gathers data from different sources across the company and uses Machine Learning combined with behavioral analytics to identify security incidents with 99,99% accuracy. It will then try to isolate and contain these threats using built-in capabilities.

Because the SIEM system will be so advanced and accurate in identifying threat events, the traditional SOC staff hierarchy will change. The role of Tier 1 Analyst whose responsibilities were to monitor and prioritize the alerts will slowly disappear. The new Tier 1 will be represented by the Incident Responder who will assist the system in containment, remediation, and recovery.

The most fun job will of course be the threat hunter’s, whose duties are to conduct penetration tests and hunt for yet undiscovered threats. This is an individual who reads every day about newly emerging cyber threats and makes sure the company is not a victim of one of them.

The first step is data gathering; this data consists of system logs and events from other security tools. The next-generation SIEM has pre-built connectors so that it can access logs and event data directly from the cloud. Data collection is enabled via an agent installed on devices across the company. This data is stored in an Elasticsearch data lake and normalized into a format that enables analysis. A huge advantage of harnessing the power of data lake technology is that it gives analysts fast and easy access to unlimited volumes of historic data. This is extraordinarily useful for threat hunting.

Complex Machine Learning algorithms and behavioural analytics are used to make correlations and discover suspicious activities like lateral movement, insider threats, and data exfiltration. An event is marked as suspicious when it deviates from established baselines. The “normal” behaviour for groups of users or devices is determined by the system, using Data Science capabilities, after monitoring operations for a certain time. This increases the accuracy of threat detection.
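As an added example, not part of the original article and not the logic of any SIEM product, here is the baseline idea in its simplest form: a per-group “normal” daily outbound volume is learned from a clean window of constructed events, and new events are scored by how far above that baseline they fall. The user and group names, the 3-sigma threshold, the minimum sample count and the volumes are all assumptions.

```python
import random
import statistics
from collections import defaultdict

MIN_SAMPLES = 30  # refuse to trust a baseline learned from too few observations

def make_baseline_events(seed=7):
    """Constructed sample data (not from any real SIEM): 14 days of outbound megabytes
    per user for three members of the 'finance' group, normal at roughly 50 MB/day.
    A real learning window must be known-clean: activity of an attacker already
    present during it would be learned as 'normal'."""
    rng = random.Random(seed)
    return [{"day": day, "user": user, "group": "finance", "outbound_mb": rng.gauss(50, 5)}
            for day in range(1, 15) for user in ("alice", "bob", "carol")]

def learn_baselines(events):
    """Per-group mean and standard deviation of daily outbound volume."""
    by_group = defaultdict(list)
    for e in events:
        by_group[e["group"]].append(e["outbound_mb"])
    return {group: (statistics.mean(v), statistics.stdev(v))
            for group, v in by_group.items() if len(v) >= MIN_SAMPLES}

def score_event(event, baselines, threshold=3.0):
    """Return (z_score, suspicious). Only upward deviations count, since the question
    here is exfiltration. Events from a group without a trusted baseline get z=None and
    are marked suspicious so they are reviewed rather than silently dropped."""
    base = baselines.get(event["group"])
    if base is None:
        return None, True
    mean, std = base
    z = (event["outbound_mb"] - mean) / std if std > 0 else float("inf")
    return z, z > threshold

def flag_suspicious(new_events, baselines):
    return [e["user"] for e in new_events if score_event(e, baselines)[1]]

# Constructed day-15 observations: bob moves about eight times his group's normal volume;
# dave belongs to a group the system has not yet baselined.
NEW_EVENTS = [
    {"day": 15, "user": "alice", "group": "finance", "outbound_mb": 48.0},
    {"day": 15, "user": "bob", "group": "finance", "outbound_mb": 400.0},
    {"day": 15, "user": "carol", "group": "finance", "outbound_mb": 56.0},
    {"day": 15, "user": "dave", "group": "contractors", "outbound_mb": 20.0},
]

if __name__ == "__main__":
    baselines = learn_baselines(make_baseline_events())
    for e in NEW_EVENTS:
        print(e["user"], score_event(e, baselines))
```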

Real-time alerts are sent immediately and the screens in the room light up red. The analysts will now try to dig deeper and understand how the threat is affecting the company systems. The SIEM system can provide context around the incident and help analysts. For remediation and mitigations, the analysts need to have a view of the status and activity of critical security and IT systems. Once again, the SIEM system can give analysts visibility and can even use Security Orchestration and Automation to automatically perform containment actions.

Because the management and other regulatory bodies need to check the performance of the company’s security, SIEM will produce reports and audits describing each incident or breach as well as providing a comprehensive overview showing the exact activity levels and how well the staff deals with the current workload. The most relevant metrics are the following:

- Mean time to detection (MTTD), which represents the average time until the SOC detects an incident. It shows the effectiveness in processing the alerts and identifying real incidents.
- Mean time to resolution (MTTR), which represents the average time until the threat is totally neutralized. It shows the effectiveness in response coordination and in taking appropriate measures to isolate and neutralize the threat.
- Total cases per month, which represents the number of detected and processed incidents. It shows the workload level and the scale of action the SOC is managing. It could be an important metric in hiring decisions.
- Types of cases, which classifies the incidents by type. It helps to focus security measures on the most dominant threats.

The ultimate goal of the company regarding cybersecurity is to be mature. This will require continuous innovation and improvements. Of course, the proposed solution has some limitations: skilled employees are hard to find, costs are high, and integration with legacy systems is hard.

The lack of skilled staff in cybersecurity is a real problem and the company can choose to create its own training programs for selected candidates.

By Atul Periwal.

You might be wondering how a wallpaper can be a medium for malware. It sounds like a mistake, but no: a wallpaper on an Android phone can be used as a medium of malware to crash your Android mobile phone.

The image above, which can be directly downloaded from Google Images, causes certain Android phones to crash.

What is malware?

Before I explain wallpaper as a medium of malware, I will explain malware itself. Basically, malware is an umbrella term for malicious software that includes viruses, Trojans, ransomware, keyloggers, spyware, adware, worms, and so on. The exact motive can differ depending on the specific malware. The common trait among all of them is that they are created with a harmful, destructive goal.

Malware Wallpaper: What is it?

A Twitter user, Ice universe, issued a warning on Twitter which states: “Never set this picture as wallpaper, especially for Samsung mobile phone users! It will cause your phone to crash! Don’t try it! If someone sends you this picture, please ignore it.”

When you download this image and set it as a wallpaper, Android phones tend to crash, which makes us assume the maker of the image may have malicious intent. While some phones can be rebooted and used in safe mode after the crash, others cannot be recovered. In such a scenario, it is natural to think that the picture contains some code that caused the phone to crash.

To create this, the attacker has used the method called steganography. Using steganography, an attacker can insert malicious code into an image and send the image in different ways. Once the image is downloaded and opened, the malicious code will automatically run on the device and perform its actions.

Malware Wallpaper: Causes

An investigation of this image found that its colours changed when it was uploaded to Weibo. On further investigation, the investigators looked into the metadata of the image and discovered a peculiar Google Skia ICC colour profile, E3CADAB7BD3DE5E3436874D2A9DEE126. The investigation led to the following:

- Dimension: 1440 * 2560
- Colour space: RGB
- Colour profile: Google/Skia/E3CADAB7BD3DE5E3436874D2A9DEE126

On some Android devices, the colour profile trips Google Skia’s graphics engine, forcing them to reboot.

Technically, while attempting to load the wallpaper with the embedded colour profile, com.android.systemui.glwallpaper.ImageProcessHelper crashes with an ArrayIndexOutOfBoundsException.

When the Android UI loads, the wallpaper loads too, which triggers another reboot. Because of that, the smartphone gets stuck in a boot loop, rebooting every time the wallpaper starts loading.

Malware Wallpaper: Solutions

We can use a photo editor (like Photoshop) to remove the ICC colour profile from the image and save it without an embedded colour profile. It also won’t trigger the malware if we take a screenshot of the image and set the screenshot as the wallpaper. Another way is to use EXIF software or an app to remove the metadata, which will also remove the colour profile. The only downside of removing the colour profile is that the image will look less vivid.
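As an added example (not code from the article, from Google or from Samsung), here is the “remove the colour profile” fix done without a photo editor: a Python routine that reports whether a JPEG carries an embedded ICC profile and returns a copy with the profile segments removed while every other byte is kept as-is. It assumes the image is a JPEG whose profile lives in APP2 ICC_PROFILE segments; the sample bytes are constructed for the demonstration and are not a real picture.

```python
import struct

ICC_ID = b"ICC_PROFILE\x00"  # identifier at the start of an APP2 segment carrying ICC data

def strip_icc_profile(jpeg):
    """Walk the JPEG header segments up to Start Of Scan, drop every APP2 ICC_PROFILE
    segment and copy everything else byte for byte. Returns (cleaned_jpeg, profile),
    where profile is the reassembled ICC profile bytes or None if the file had none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(jpeg[:2])
    chunks = {}  # ICC data may be split over several APP2 segments, numbered from 1
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment table at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, copy the rest as-is
            out += jpeg[pos:]
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos:pos + 2 + length]
        payload = segment[4:]
        if marker == 0xE2 and len(payload) >= 14 and payload.startswith(ICC_ID):
            chunks[payload[12]] = payload[14:]  # byte 12 = sequence no., byte 13 = total
        else:
            out += segment
        pos += 2 + length
    else:
        raise ValueError("no SOS marker found: truncated or not a baseline JPEG")
    profile = b"".join(chunks[k] for k in sorted(chunks)) if chunks else None
    return bytes(out), profile

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample bytes, not a decodable picture: SOI, APP0 (JFIF), one APP2 ICC
# segment, then a fake SOS header, two bytes of "scan data" and EOI.
SAMPLE_PROFILE = b"CONSTRUCTED-ICC-PROFILE-BYTES"
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xE2, ICC_ID + bytes([1, 1]) + SAMPLE_PROFILE)
               + b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
               + b"\x12\x34" + b"\xff\xd9")

if __name__ == "__main__":
    cleaned, profile = strip_icc_profile(SAMPLE_JPEG)
    print("embedded ICC profile:", profile)
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Running the routine a second time on its own output returns the same bytes and no profile, which is the check to make before setting the cleaned file as wallpaper.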

Conclusion

This wallpaper looks aesthetically beautiful, but is it really important to download a wallpaper from an unknown site or get it from a known or unknown person? You might ask what the problem is in receiving a picture from a known person. How would you know the original source from which the wallpaper was downloaded?

Don’t just get attracted to such wallpapers and download them from an unknown source. If you want to download one and set it as a wallpaper, download it from a credible source like your phone company’s official website/app. Please stay safe and alert to the different methods used by attackers to harm your digital systems, as well as to the Coronavirus that can harm your body.